[Freeipa-users] ldap-filter, LDAP_MATCHING_RULE_IN_CHAIN, apache 2.2
Jan-Frode Myklebust
janfrode at tanso.net
Fri Mar 22 12:52:19 UTC 2013
On Fri, Mar 22, 2013 at 08:04:08AM -0400, Dmitri Pal wrote:
>
> In IPA/389 each user has a full list of the DNs of the groups he is a
> member of.
> Also the member attribute in the group is the list of DNs of all members
> and member groups.
> IPA/389 supports a dereference control.
>
> But the question is: what are you trying to accomplish?
I'm trying to get a RHEL5 server with Apache 2.2 to use LDAP to
authenticate users, and only let the users of select groups have access.
This is configured through mod_authnz_ldap:
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
The problem I have is that we want to give access to nested groups, and
this doesn't seem possible with mod_authnz_ldap in apache 2.2 (v2.4
supports nesting, not 2.2).
AuthType Basic
AuthName "Backend"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPUrl ldap://ipa1.example.net/cn=accounts,dc=example,dc=net?uid?sub
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute member
#Require ldap-filter memberof:1.2.840.113556.1.4.1941:=cn=cactiaccess,cn=groups,cn=accounts,dc=example,dc=net
Require ldap-group cn=tvadmins, cn=groups, cn=accounts, dc=example, dc=net
Require ldap-group cn=nocdrift, cn=groups, cn=accounts, dc=example, dc=net
Require ldap-group cn=systemdrift, cn=groups, cn=accounts, dc=example, dc=net
This doesn't work with nested groups, and it's something like that
commented-out ldap-filter I'm looking for as a solution.
> If you need to check whether the user is a member of the group it is a
> simple search using member attribute as a filter.
Could you give me an example of such a filter?
-jf
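The OID in the commented-out `Require ldap-filter` line (1.2.840.113556.1.4.1941, LDAP_MATCHING_RULE_IN_CHAIN) is an Active Directory matching rule; 389-ds does not implement it, so that filter is rejected against IPA. Two things follow from the quoted reply: the `member` attribute of a group can be used as a search filter to find the groups holding a given DN, and IPA's memberOf plugin stores nested (indirect) memberships on the user entry, so on IPA a plain equality filter on `memberOf` covers nested groups without any chaining rule. The block below is an added example written for this page, not code from the original post, FreeIPA or mod_authnz_ldap. It builds the two filters with proper RFC 4515 escaping and walks `member` upward over a constructed in-memory copy of the group tree from the post (group and user DNs are sample data), which is what a client has to do when the server has no flattened membership attribute.

```python
# Transitive (nested) group membership over the `member` attribute, the way a
# client must walk it when the LDAP server has no AD-style
# LDAP_MATCHING_RULE_IN_CHAIN.  Added example, not code from the original post,
# FreeIPA or mod_authnz_ldap; DIRECTORY below is constructed sample data shaped
# like the IPA tree in the post.

TV_ADMINS = "cn=tvadmins,cn=groups,cn=accounts,dc=example,dc=net"
NOC_DRIFT = "cn=nocdrift,cn=groups,cn=accounts,dc=example,dc=net"
SYSTEM_DRIFT = "cn=systemdrift,cn=groups,cn=accounts,dc=example,dc=net"
CACTI_ACCESS = "cn=cactiaccess,cn=groups,cn=accounts,dc=example,dc=net"


def user_dn(uid):
    """DN of an IPA user entry (assumed layout: cn=users,cn=accounts,...)."""
    return "uid=%s,cn=users,cn=accounts,dc=example,dc=net" % uid


# Constructed: group DN -> values of its `member` attribute (users or groups).
DIRECTORY = {
    TV_ADMINS: [user_dn("alice"), NOC_DRIFT],      # nocdrift is nested in tvadmins
    NOC_DRIFT: [user_dn("bob"), SYSTEM_DRIFT],     # systemdrift is nested in nocdrift
    SYSTEM_DRIFT: [user_dn("carol")],
    CACTI_ACCESS: [user_dn("dave")],               # not nested anywhere
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter.
    Without it a uid or DN taken from a request can inject extra filter terms."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def member_filter(dn):
    """The 'search using member attribute as a filter' from the quoted reply:
    run it with base cn=groups,cn=accounts,... to list the groups that hold
    `dn` directly."""
    return "(member=%s)" % escape_filter_value(dn)


def memberof_filter(uid, group_dn):
    """Same check from the user side, suitable for `Require ldap-filter`;
    on IPA memberOf already contains indirect groups."""
    return "(&(uid=%s)(memberOf=%s))" % (
        escape_filter_value(uid), escape_filter_value(group_dn))


def direct_groups(dn, directory):
    """Groups whose `member` attribute contains `dn` (what member_filter returns)."""
    return {group for group, members in directory.items() if dn in members}


def transitive_groups(dn, directory):
    """Walk `member` upward: groups holding the user, then groups holding
    those groups, and so on.  The `found` set keeps a membership cycle finite."""
    found, todo = set(), [dn]
    while todo:
        current = todo.pop()
        for group in direct_groups(current, directory):
            if group not in found:
                found.add(group)
                todo.append(group)
    return found


def is_allowed(dn, allowed_groups, directory=DIRECTORY):
    """Nested-aware equivalent of several `Require ldap-group` lines."""
    return bool(transitive_groups(dn, directory) & set(allowed_groups))


if __name__ == "__main__":
    print(member_filter(user_dn("alice")))
    print(memberof_filter("j*f", TV_ADMINS))   # the '*' is escaped, not a wildcard
    for uid in ("alice", "bob", "carol", "dave"):
        print(uid, is_allowed(user_dn(uid), [TV_ADMINS]),
              sorted(transitive_groups(user_dn(uid), DIRECTORY)))
```

With this data carol is only a direct member of systemdrift but is allowed through tvadmins, because systemdrift sits inside nocdrift, which sits inside tvadmins; dave, in the unrelated cactiaccess group, is refused. Whichever filter is used, escape the user-supplied part: a uid containing `*` or `)` must become `\2a` or `\29` before it is spliced into the filter string.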